Oracle: We’re investing in Java security

In a blog post yesterday, Oracle outlined the steps it’s been taking and the investments it’s been making to ensure the security of Java, its beleaguered open-source programming language.

Starting in October 2013, the company will release quarterly security patches. It also says it will respond more quickly to security issues in the future and will do better at ensuring vulnerabilities don’t make it into the codebase in the first place, by using automated security testing tools.

“The company has made a number of product enhancements to default security and provide more end user control over security,” writes Oracle Java software development lead Nandini Ramani on the company blog.

For the enterprise, which still relies heavily on Java, Ramani said, “The public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers,” implying the problem was more with PR than security on the server side. In response, Oracle introduced Server JRE as a separate distro.

The trouble started nearly a year ago, when Oracle fixed a gaping Java security hole it may have known about for months. Slow security is no security, and Oracle’s investment at that time wasn’t nearly good enough, and that vulnerability set the stage for 2013, when a string of security issues popped up.

In January, the world found out about a Java vulnerability that would allow attackers to steal information or hook up a botnet to any user with a Java plugin-running browser. At that point, the Department of Homeland Security and Apple issued memos saying no one should use Java. Oracle issued a patch, but like a junkie with a $10 habit and a $5 stash, DHS said the fix was insufficient.

Then, after an attack in February, Facebook disabled Java in a high-profile vote of no confidence. (Microsoft and Apple underwent similar attacks.)

“It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment,” Ramani said in conclusion.

“Oracle’s effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.”